Analysis
- max time kernel: 36s
- max time network: 89s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 06-02-2022 13:12

Static task: static1

Behavioral task: behavioral1
- Sample: 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
- Resource: win10v2004-en-20220113
General
- Target: 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
- Size: 5.7MB
- MD5: 5d9500398ebb9e211512cac02183eadb
- SHA1: 6d249f3a6480f359d8a203594f1f199d87dd8b37
- SHA256: 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c
- SHA512: 5f3274446838b01f341f811f4abbf7219bd3b7c136fadbb0ccde3e94e4908ca0bb366db3163a8109869002b6a462cbcb27f1df14e3db8460c34d4414429e64b3
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3500  pub4.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description         ioc                                                                                                 process
    Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 2696 wrote to memory of 4572   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  cmd.exe
    PID 2696 wrote to memory of 4572   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  cmd.exe
    PID 2696 wrote to memory of 4572   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  cmd.exe
    PID 4572 wrote to memory of 2300   4572  cmd.exe                                                                 msedge.exe
    PID 4572 wrote to memory of 2300   4572  cmd.exe                                                                 msedge.exe
    PID 4572 wrote to memory of 4068   4572  cmd.exe                                                                 msedge.exe
    PID 4572 wrote to memory of 4068   4572  cmd.exe                                                                 msedge.exe
    PID 4068 wrote to memory of 3632   4068  msedge.exe                                                              msedge.exe
    PID 4068 wrote to memory of 3632   4068  msedge.exe                                                              msedge.exe
    PID 2300 wrote to memory of 3648   2300  msedge.exe                                                              msedge.exe
    PID 2300 wrote to memory of 3648   2300  msedge.exe                                                              msedge.exe
    PID 2696 wrote to memory of 3500   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  pub4.exe
    PID 2696 wrote to memory of 3500   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  pub4.exe
    PID 2696 wrote to memory of 3500   2696  45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe  pub4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2696
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4572
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1qzLu7
      - Suspicious use of WriteProcessMemory
      PID: 2300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718
        PID: 3648
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/14Ahe7
      - Suspicious use of WriteProcessMemory
      PID: 4068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718
        PID: 3632
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"
    - Executes dropped EXE
    PID: 3500
Network
MITRE ATT&CK Enterprise v6
Downloads